Call screening service for communication devices

ABSTRACT

One example method of operation may include receiving one or more data messages, identifying calls and corresponding call data from the one or more messages, identifying call parameters from the call data, applying a call activity filter criteria to the call parameters to identify a suspect sub-set of the call parameters which indicate an elevated likelihood of call scam, forwarding the call parameters and the suspect sub-set of call parameters to one or more call data tables, and assigning one or more scam designation threshold scores to the suspect sub-set of the call parameters in the one or more call data tables.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application relates to application No. 62/715,658, filed on Aug. 7,2018, and entitled FINGERPRINT, the entire contents of which are herebyincorporated by reference.

Technical Field of the Application

This application relates to call management, and more specifically to acall screening service for communication devices.

BACKGROUND OF THE APPLICATION

Conventionally, mobile device users receive calls from undesired sourcesall the time, every day and sometimes every hour depending on theparticular day. The source numbers which are used to dial the users maybe local numbers, long-distance numbers, anonymous numbers, etc. Thecalls may be spam calls, scam calls, robocalls, etc. With recent updatesto smartphones and the call screen user interfaces used during a call,the sources of the calls are generally displayed in some capacity topermit the user to identify whether to answer the phone call or not.However, there are generally limited tools available to demonstrate thatthe call is likely to be a scam or spam caller, especially in real-timeso a caller can quickly decide whether to answer the call, drop thecall, block the call, etc.

SUMMARY OF THE APPLICATION

Example embodiments of the present application provide at least a methodthat includes at least one of receiving one or more data messages,identifying a plurality of calls and corresponding call data from theone or more messages, identifying a plurality of call parameters fromthe call data, applying a call activity filter criteria to the callparameters to identify a suspect sub-set of the call parameters whichindicate an elevated likelihood of call scam, forwarding the pluralityof call parameters and the suspect sub-set of call parameters to one ormore call data tables, and assigning one or more scam designationthreshold scores to the suspect sub-set of the call parameters in theone or more call data tables.

Another example embodiment may include an apparatus that includes areceiver configured to receive one or more data messages, and aprocessor configured to identify a plurality of calls and correspondingcall data from the one or more messages, identify a plurality of callparameters from the call data, apply a call activity filter criteria tothe call parameters to identify a suspect sub-set of the call parameterswhich indicate an elevated likelihood of call scam, forward theplurality of call parameters and the suspect sub-set of call parametersto one or more call data tables, and assign one or more scam designationthreshold scores to the suspect sub-set of the call parameters in theone or more call data tables.

Another example embodiment may include a non-transitory computerreadable storage medium configured to store instructions that whenexecuted cause a processor to perform receiving one or more datamessages, identifying a plurality of calls and corresponding call datafrom the one or more messages, identifying a plurality of callparameters from the call data, applying a call activity filter criteriato the call parameters to identify a suspect sub-set of the callparameters which indicate an elevated likelihood of call scam,forwarding the plurality of call parameters and the suspect sub-set ofcall parameters to one or more call data tables, and assigning one ormore scam designation threshold scores to the suspect sub-set of thecall parameters in the one or more call data tables.

Still another example embodiment may include a method that includes atleast one of identifying a call from a caller and destined for a callee,receiving a data message associated with the call, forwarding the datamessage to a call processing server, processing the data message toidentify one or more call parameters, comparing the one or more callparameters to an active call scam model applied by the call processingserver, determining a scam score for the call based on the comparing ofthe one or more call parameters to the active call scam model applied bythe call processing server, and determining whether to notify the calleethat the call is a scam based on the scam score.

Still yet another example embodiment may include an apparatus thatincludes a processor configured to identify a call from a caller anddestined for a callee, a receiver configured to receive a data messageassociated with the call, a transmitter configured to forward the datamessage to a call processing server, and the processor is furtherconfigured to process the data message to identify one or more callparameters, compare the one or more call parameters to an active callscam model applied by the call processing server, determine a scam scorefor the call based on the comparing of the one or more call parametersto the active call scam model applied by the call processing server, anddetermine whether to notify the callee that the call is a scam based onthe scam score.

Still yet another example embodiment may include a non-transitorycomputer readable storage medium configured to store instructions thatwhen executed cause a processor to perform identifying a call from acaller and destined for a callee, receiving a data message associatedwith the call, forwarding the data message to a call processing server,processing the data message to identify one or more call parameters,comparing the one or more call parameters to an active call scam modelapplied by the call processing server, determining a scam score for thecall based on the comparing of the one or more call parameters to theactive call scam model applied by the call processing server, anddetermining whether to notify the callee that the call is a scam basedon the scam score.

Still yet another example embodiment may include a method that includescollecting call metric data over a predefined period of time for aplurality of identified calls, querying the call metric data to identifywhether one or more call filtering criteria parameters require changes,determining one or more call filtering criteria parameters requirechanges based on a deviation from one or more expected call metric datavalues included in the call metric data, modifying one or more of thecall filtering criteria parameters, and updating an active call scammodel stored on a call processing server based on the one or more callfiltering parameters.

Still yet another example embodiment may include an apparatus thatincludes a memory configured to store collected call metric data over apredefined period of time for a plurality of identified calls, aprocessor configured to query the call metric data to identify whetherone or more call filtering criteria parameters require changes,determine one or more call filtering criteria parameters require changesbased on a deviation from one or more expected call metric data valuesincluded in the call metric data, modify one or more of the callfiltering criteria parameters, and update an active call scam modelstored on a call processing server based on the one or more callfiltering parameters.

Still yet another example embodiment may include a non-transitorycomputer readable storage medium configured to store instructions thatwhen executed cause a processor to perform collecting call metric dataover a predefined period of time for a plurality of identified calls,querying the call metric data to identify whether one or more callfiltering criteria parameters require changes, determining one or morecall filtering criteria parameters require changes based on a deviationfrom one or more expected call metric data values included in the callmetric data, modifying one or more of the call filtering criteriaparameters, and updating an active call scam model stored on a callprocessing server based on the one or more call filtering parameters.

Still yet another example embodiment may include a method that includesidentifying call data associated with a received call, identifying aplurality of call parameters from the call data, and the plurality ofcall parameters include one or more call routing parameters associatedwith call routing of the call and one or more call session parametersassociated with a call session of the call, assigning weights to one ormore of the call routing parameters and the call session parameters,determining a scam score for the call based on a sum of the weightsapplied to the call routing parameters and the call session parameters,and blocking the call when the scam score is greater than or equal to apredetermined threshold scam score.

Another example embodiment may include an apparatus that includes aprocessor configured to identify call data associated with a receivedcall, identify a plurality of call parameters from the call data, andthe plurality of call parameters include one or more call routingparameters associated with call routing of the call and one or more callsession parameters associated with a call session of the call, assignweights to one or more of the call routing parameters and the callsession parameters, determine a scam score for the call based on a sumof the weights applied to the call routing parameters and the callsession parameters, and block the call when the scam score is greaterthan or equal to a predetermined threshold scam score.

Another example embodiment may include a non-transitory computerreadable storage medium configured to store instructions that whenexecuted cause a processor to perform identifying call data associatedwith a received call, identifying a plurality of call parameters fromthe call data, wherein the plurality of call parameters comprise one ormore call routing parameters associated with call routing of the calland one or more call session parameters associated with a call sessionof the call, assigning weights to one or more of the call routingparameters and the call session parameters, determining a scam score forthe call based on a sum of the weights applied to the call routingparameters and the call session parameters, and blocking the call whenthe scam score is greater than or equal to a predetermined thresholdscam score.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example call management network configurationaccording to example embodiments.

FIG. 2 illustrates a flow diagram of an example method of processingcall data according to example embodiments.

FIG. 3 illustrates a multi-server call management configurationaccording to example embodiments.

FIG. 4 illustrates a call audit and monitoring system configurationaccording to example embodiments.

FIG. 5A illustrates a call parameter processing diagram for performingcomposite score analysis according to example embodiments.

FIG. 5B illustrates a call content processing diagram for performingcomposite score analysis according to example embodiments.

FIG. 6A illustrates a set of call message parameters in an active callrequest according to example embodiments.

FIG. 6B illustrates a set of call message parameters being processed andcompared to historical call data according to example embodiments.

FIG. 6C illustrates an example of a current call having its callparameter data compared to established call parameter thresholds forscam scoring purposes according to example embodiments.

FIG. 7A illustrates a call system configuration for monitoring call dataand obtaining call scoring model data according to example embodiments.

FIG. 7B illustrates a call system configuration for applying call datato current calls according to example embodiments.

FIG. 7C illustrates a call system configuration for auditing call dataand obtaining updated scoring model data for call scam filteringaccording to example embodiments.

FIG. 7D illustrates a call system configuration for applying callmanagement scam filtering to call data for an incoming call according toexample embodiments.

FIG. 8 illustrates a logic diagram with example data input and outputparameters for performing call processing according to exampleembodiments.

FIG. 9 illustrates an example network entity device configured to storeinstructions, software, and corresponding hardware for executing thesame, according to example embodiments of the present application.

DETAILED DESCRIPTION OF THE APPLICATION

It will be readily understood that the components of the presentapplication, as generally described and illustrated in the figuresherein, may be arranged and designed in a wide variety of differentconfigurations. Thus, the following detailed description of theembodiments of a method, apparatus, and system, as represented in theattached figures, is not intended to limit the scope of the applicationas claimed, but is merely representative of selected embodiments of theapplication.

The features, structures, or characteristics of the applicationdescribed throughout this specification may be combined in any suitablemanner in one or more embodiments. For example, the usage of the phrases“example embodiments”, “some embodiments”, or other similar language,throughout this specification refers to the fact that a particularfeature, structure, or characteristic described in connection with theembodiment may be included in at least one embodiment of the presentapplication. Thus, appearances of the phrases “example embodiments”, “insome embodiments”, “in other embodiments”, or other similar language,throughout this specification do not necessarily all refer to the samegroup of embodiments, and the described features, structures, orcharacteristics may be combined in any suitable manner in one or moreembodiments.

In addition, while the term “message” has been used in the descriptionof embodiments of the present application, the application may beapplied to many types of network data, such as, packet, frame, datagram,etc. For purposes of this application, the term “message” also includespacket, frame, datagram, and any equivalents thereof. Furthermore, whilecertain types of messages and signaling are depicted in exemplaryembodiments of the application, the application is not limited to acertain type of message, and the application is not limited to a certaintype of signaling.

Example embodiments provide a call scoring, monitoring, auditing and/orprocessing platform configured to provide call screening of potentialscam/spam callers. The term ‘scam’ and ‘spam’ are used interchangeablyand are intended to identify various types of unwanted/unexpected calls,such as those calls which are attempting to defraud persons of moneyand/or sell products and services which are undesirable and unexpected.Those types of calls usually tend to be performed by certain originationcall number sources and call number prefixes which can be readilyidentified and which are used to perform large-volume calling oftargeted user devices. The calling sources may use dynamic call routingfeatures which change numbers, locations, etc., however, certaincharacteristics may be identified to limit the scam caller entities'success in communicating with intended call recipients.

FIG. 1 illustrates a call management configuration for monitoring andscreening calls based on a call model, according to example embodiments.Once a call model is created and distributed to certain servers, at thestart of any particular call to a client end user device, the callprocessing platform service server 110 may receive a SIP INVITE packet102, which is provided to the call management service to produce a scamscore 104. The service 110 sends the INVITE packet, plus additional datato the active model or models 122-128 for scoring purposes. Each of themodels may be located at a different server or site and may be used toprovide a composite score, such as an average score from all the scoresobtained. The additional information includes data, such as the numberof calls the calling number has made in a recent time interval, such asthe last six minutes and/or a one minute time interval. Each modelreceives the INVITE and additional data, then “scores” the incoming calland returns the numerical score along with a scam/spam flag (yes/no)depending on the score value. The call service 110 may compute acomposite score from the model score(s) and return the final score and acorresponding scam flag back to the requesting entity. The auxiliarydata 112 may include model specific tables, call data, scoring criteria,etc.

With the call management system, the call management service, as well aseach of the model(s) is a separate independent process. Processseparation provides fault isolation, as well as simple upgrades to newerversions. Additionally, new models can be dynamically added or removedwithout stopping and starting the call management service. Thefingerprint service scoring model for caller-to-callee (landline tomobile, mobile to mobile, mobile to landline, landline to voip, voip tomobile, voip to landline, voip to voip, mobile to voip, etc.) calls isbased on the notion of quantifying and scoring suspicious activity.Suspicious activity is a binary feature, which assumes a value ofsuspicious or non-suspicious depending on a relative scoring model. Thevalue is derived from multiple binary outcomes that are generated fromstatistics of historical call data. The modeling scheme used by the callmanagement server and corresponding scoring model servers, buildsseveral scoring tables and where each table summarizes the percent ofsuspicious activity relative to the total number of incoming calls.Table keys depend on a summary of interest, such as the NPANXX of thecalling number or the from IP field of the session initial protocol(SIP) header of the call.

Each scoring table can be built using a predetermined amount of time ofincoming call data, such as, for example, six minutes. This data is usedas a training model, which is then applied to the subsequent 6 minutesof incoming call data for testing. A proprietary scoring algorithm isused to assign a ‘scam score’ based on the degree of suspicious activityin the training data. Also, neighborhood calls and non-neighborhoodcalls are scored independently using weighted models to combine tablescores and real-time data. “Scam likely” calls are identified usingmethods similar to multivariate adaptive regression splines to determinewhen a score deviates from normal.

Decisions are guided using machine learning methods, such as K-meansclustering. K-means clustering is a machine learning technique usedduring the model trainer process to identify likely spoofing behavior.It is a supervised learning technique which is used to identify ‘spoof’like behavior in multiple changing sub-parameters, such as ‘NPA’,‘NPANXX’, ‘NeighborhoodScores’, etc.

The call management application and service permits for real-timeanalysis of phone call data as the calls arrive, for example, SIP INVITEmessages which are received by a call server may forward the SIP INVITEinformation to the call processing server for scam analysis prior toringing the end user's device as an active call so that a scam/spamanalysis and determination can be made before connecting the call.Utilizing a ‘hot-swappable’ data model(s), the call management serviceis able to adapt to constantly changing scammer tactics. This approachprovides the call management service with the ability to analyze phonecall data intelligently and accurately without just relying on phonenumbers alone. The call management service used a “fingerprint” of thecall to identify phone numbers that may have been “spoofed”. Theprocessing occurs in milliseconds as phone calls are initiated toprovide a level of protection to the consumer that impacts neither theconsumers' devices nor their legitimate phone calls.

In some examples of scam calling, a scammer may use an automated callingplatform to places calls using a single phone number in a repetitivemanner. This approach is identified by the call management applicationsand that particular scammer's number is then blocked by adding theidentified number to a black list file of numbers which are notpermitted as call destinations to protected users implementing the callmanagement application. As a scammer receives a blocked status, they mayrecognize the failed number status and then begin rotating othertelephone numbers as other origin call origination points from a pool ofnumbers they currently own and operate. Other approaches taken by callscammers is ‘spoofing’ numbers, which is when they use a number ornumbers from known businesses, pretending to be a real call but insteaddelivering different call purpose information. The call recipient mayrecognize the number or trust the number and answer the phone only todiscover a spoofed call. More recently, call scammers are now spoofingnumbers that have a same area code and prefix, such as the first 3, 4,5, 6 or even more numbers as the call recipient so the call recipient ismore likely to familiarize with the telephone number calling and thusanswer the call. Some other known call scam tactics include calling andhanging-up immediately, or making two concurrent calls, one to hold theline busy while the second one reaches the callee's voice mail. Bothmethods are attempts to reach the callee and have them return the callat a later time. As each call scam method is identified, scammers evolvetheir methods to reach more call candidate victims. As a result, thecall scam number identification procedure must recursively track thecurrent scammers and apply call scam detection in an ongoing processsometimes several times within a single hour.

As the scammers started ‘spoofing’ numbers, the calling number which isdisplayed to the call recipient may actually be from a legit entity orbusiness and may not deserve to be blocked. Blocking the number couldaffect the legitimate business since their calls cannot then reachcertain intended callees. As a result, the calling number identified isgenerally not a reliable source of information. The call managementapplication according to example embodiments does not rely on a callingnumber as call monitoring and/or blocking criteria, but instead variousother call origination data that is created from a calling party's callsetup information (i.e., call attempts) which are identified as beingdestined for a destination carrier network. Depending on the actualorigination location of the call, the call setup data can change as thecall request progresses. By identifying the call route data, theapplication can identify a pattern of actual legitimate callsoriginating from a particular business vs. a spoofed call pretending tobe from a particular business. The application is used to examine thedata for each call session to decide whether the call should bepermitted to pass to the end user recipient or be screened according tocall screening criteria.

In another example embodiment, there may be multiple installations ofdifferent scoring models. Each scoring model is setup to look for one ormore specific scam scenarios and return a score back to the application.Since there can be multiple active scoring models, the application mayaccept a number of computed scores to calculate one final score based onan average of the computed scores. As each call is received, the callsession information may be forwarded to the application. The call canthen be distributed to all the installed scoring models. A score isreturned from each model to the application. The application calculatesthe final score (e.g., average, maximum score, total score, etc.), andthe final score is returned back to manage the call. The call is thenrouted appropriately based on the score and one or more user preference(e.g., complete the call, drop the call, send to voicemail, etc.).

FIG. 2 illustrates one example embodiment of a logic call flow diagramfor creating a call management training platform. The trainerapplications used to enforce call management, for end users via aprovider call management system, require setup, updates and dynamicconfigurations. For instance, the call processing models used by thecall management servers must be created/updated in short periods of timeto provide updated call pattern information. Such call patterns may berecently emerging and/or new types of scam/spam calling that can beidentified and shared as updates to the call models stored oncorresponding distributed servers. Scoring algorithms applied toidentified calls may be performed by pre-scoring calls and then used asthe basis for actual scoring applied to recently updated call models.Once a model is created or updated, the model may be distributed andused for all ongoing call screening efforts.

In operation, the diagram 200 includes incoming call data beingidentified and processed 212 to determine model parameters 214 toinclude for each call as part of the call model. The calls may beaggregated by relevant scoring fields 216 and the model can then becreated 218, assigned a version number 222 and new scoring matrix datasince the last model and then published 224 to all relevant serverswhich aid in the use of the call data for updated scam managementprocedures.

FIG. 3 illustrates a high-level system configuration of the callmanagement service hierarchy according to example embodiments. Referringto FIG. 3, the configuration 300 includes a data replication servicewhere call data, updated models and other data 302 are received at amaster call management service server 310 and stored in an auxiliarydata cache 312. The call management master 310 may be an elected masterthat is responsible for delegating the model updates to the otherservers in the call management infrastructure via an automatedreplication service that propagates the data to the other entities inthe network.

The data management of the call management servers 310, 322 and 324,each of which are deployed at a different data center site location, isperformed by a centrally managed server which may be the same orseparate from the call management service master 310. When updates aremade to the master data sets and corresponding models, such call modeldata is then persisted as updates to each of the service servers, eachof which references its own auxiliary data cache 312 where the updatesare stored to perform call processing and screening.

Once the auxiliary data cache 312 for one of the servers 310 is updated,that data is then synchronized with the other call processing serverslocated in different sites. All of the servers 310, 322 and 324 thensynchronize with each other to ensure that all instances have the mostupdated data. The different call server services 310, 322 and/or 324 maybe used to provide redundancy in case one or more fails. As each callenters a network, the calls are routed to the different servers toprovide load balancing and other optimal call routing features whenattempting to connect a call. All call servers identified in FIG. wouldideally have the call screening data, updated, and available to limitcall pass-through to call recipients according to the call screeningmanagement criteria.

The “hot-swappable” nature of the servers is made possible by thedeployment process where all models will be deployed using a packagemanager application, which permits for certain operations to occurwithout taking down or restarting the servers. For example, new modelscan be added dynamically, old models can be retired dynamically, whichis performed using an erase/uninstall feature of the package manager.Also, model versions can be updated and all updates may reach all of theservers in all of the different data centers.

The call management service permits for real-time analysis of phone calldata, such as SIP INVITE messages received, as the calls are takingplace. Also utilizing ‘hot-swappable’ (i.e., active replaceable) datamodels, the servers can receive updates to identified scam/spam callertactics as they evolve on a minute by minute, hourly, and/or dailybasis. The call server may analyze phone call data more intelligentlyand accurately than relying on source phone numbers alone.

Upon receipt of the scam score, the call processing server may “tag” thephone call with one or more of the following identifiers (i.e., flags)based on decisions made by the call processing logic. Some calldeterminations may include to block the call, send the call tovoicemail, tag the call as ‘spam’ per customer requirements, such as,for example, “Scam Likely”, which is presented on the user's interfacescreen during the call ringing operation. This list is not all-inclusiveas those skilled in the art will recognize other call managementoperations which may be applied to calls which are identified asunwanted and/or undesirable.

The call management service computes scam scores based on call signalingdata, such as the data contained with the SIP INVITE of the call itself.Also, historical phone number keyed data may also be referenced. Forexample, a database of phone numbers that have been reported byconsumers as “scam” or “nuisance” are referenced during the callreceiving and processing operation. Call volumes and metrics, such asphone call durations are also identified as history information that canbe referenced for call designation purposes since a long history ofshort calls can be readily identified as spam callers from a particularsource.

The data provided by the call record service is necessary to compute acall spam/scam ‘scam’ score. In computing the scam scores, the callmanagement server sends the SIP INVITEs to all the call models stored onvarious call processing servers. Each model may be unique and may makeuse of some, all, or none of the following auxiliary data sources: callhistory data, a local exchange routing guide (LERG), location numberportability (LNP), lookup tables (specific to particular models), etc.Also, multiple independent models can be used simultaneously to computescam scores. The call processing servers will return a calculatedcomposite score based on all applied models as well as the individualscores computed by each model.

In operation, the call processing server interacts with call managementinterface modules to receive SIP INVITES that are received directly fromthe call processing modules. The SIP INVITEs are then forwarded to themodels for scam score calculation(s). Upon receipt of the scam scores,the call management server calculates a final scam score and sends thisscore back to call processing modules, which then passes this scorealong to internal modules that will use the information for furtherprocessing of the call.

Transmission protocols, such as user datagram protocol (UDP) andtransmission control protocol (TCP) are both supported by the callmanagement server so the call processing modules can send the SIPINVITEs over either protocol for processing. The auxiliary data cache isa collective term for any data utilized by the models other than SIPINVITES. Each of the different datasets may be updated with differentfrequencies. For example, LERG may be updated monthly while some lookuptables may be updated daily. Also, SIP INVITES may be instead othertypes of call signaling used to setup a digital voice call between acall originator and a call recipient. The call invites may be identifiedas being sent from the origination device and/or other networkcomponents along the call request route. For example, a last relayingpoint (i.e., device) in a communications network, may be considered acall request origination or part of the call path origination.

The scoring model for scam call assignments and filtering formobile-to-mobile or any type of device/protocol calls is based on thenotion of quantifying and scoring suspicious activity. Suspiciousactivity is a binary feature, which assumes a value of ‘1’ (suspicious)or ‘0’ (non-suspicious). The variable is derived from multiple binaryoutcomes that are generated from descriptive statistics of historicaldata, derived scores, and features obtained from the session initiationprotocol (SIP) header. This approach may include a decision tree modelbased on features, such as a ‘scamScore’, ‘scamFlag’, ‘PSTN parameter’,‘autoDialFlag’, and ‘possibleSpoofFlag’. For example, a call is deemedsuspicious if the scamScore>69 or the scamFlag=1.

The score modeling scheme may, for example, construct different scoringexamples, each table summarizes the percent of suspicious activityrelative to a total number of incoming calls. Those skilled in the artwill recognize that any number of tables used to identifysuspicious/scam calls may be used depending on the goals of the callmonitoring effort. Aggregate functions are used to compute a totalnumber of calls (all calls) and a total number of suspicious calls,which include those which may be identified according to a certain typeof filter criteria. Then, a separate scoring function is used to score alevel of suspicious activity based on the total number of calls. A briefdescription of the scoring examples used as call management criteria isdiscussed below, and a separate scoring function is used to score thelevel of suspicious activity based on the total number of calls. Thenumbering convention used is based on a North American phone numberingconvention, such as the NPA-NXX-XXXX scheme, wherein the value ‘N’ isany digit from 2-9, and ‘X’ is any digit from 0-9. The first threedigits ‘NPA’ identifies the 3-digit numbering plan area (area code) andNXX identifies the central office. The last four digits are customizeddigits for a particular customer account.

According to example embodiments, one approach 1) may be to identifycalls destined to NPANXX, which summarizes suspicious call activitygoing into an NPANXX. Another approach 2) may be to identify callsdestined to NPANXX+SIP, which summarizes suspicious call activity at aNPANXX and a specific SIP signature. Yet another approach 3) may be toidentify calls destined to NPA+PSTN, which summarizes possible spoofactivity going into an NPA and a specific PSTN parameter. Otherapproaches for call tracking criteria may include 4) a call from acertain NPANXX+PSTN, which summarizes possible call spoof activitycoming from an NPANXX and a specific PSTN parameter. Yet anotherapproach may include 5) a call from NPA+IP, which summarizes suspiciouscall activity coming from an NPA and a specific IP address. Stillanother example may include 6) a call from NPA+SIP, which summarizessuspicious call activity coming from an NPA and a specific SIPsignature. Still another approach may include 7) a call to aNPA-3/4/5/6, etc., which summarizes suspicious call activity coming intoNPAs where the number of matching digits between the ‘from’ and ‘to’phone numbers equals 3/4/5/6, etc. For example, a called number from acalling number may share an area code of 555 as three digits and anymore shared digits between caller and callee would increase the numberfrom three to however many digits are the same between the numbersassigned to the calling and called parties. Still yet a further examplemay include 8) calls to a NPANXX autodial, which summarizes autodialercall activity coming into a specific NPANXX. Another approach mayinclude 9) calls based on summarized neighborhood activity (i.e.,numMatchDigits>3) for each phone number identified.

When creating a scoring table and scoring table criteria, the table maybe built using incoming call data from a 6-minute window. This data isused as a training model to establish scam scores and filtering data toapply to subsequent call management operations. The scores computedduring training are applied to a subsequent fixed time (e.g., 6-minute)interval of incoming call data for scoring purposes. For example,neighborhood calls (numMatchDigits>3) and non-neighborhood calls arescored independently using weighted models to combine table scores andreal-time data. “Scam likely” calls are identified using methods such asmultivariate adaptive regression splines to determine when a scoredeviates from normal. Decisions for designating calls, callers, etc., asscammers may also be performed using unsupervised machine learningmethods, such as K-means clustering.

According to example embodiments, the different tables constructed maybe used to represent a representation of scam/suspicious activity for agiven time frame. As time progresses, older models grow less relevant.Tables are dynamically created to represent the current behavior ofin-network calls, not static rules about how calls with certainattributes are always more or less disposed to scam or suspiciousactivity. Since the behavior of in-network scam calls are constantly ina state of change, the table models must also be dynamic. After trainingphases are completed, the trained call management models are thenpublished to a call management system, which resides inside of atelephone carrier's distributed data center, which is the networkinfrastructure which routes and connects calls between end users (e.g.,businesses and consumers).

There are two primary forms of model/table data, including streaming andtransactional data. Each type of data update may be granted atime-to-live (TTL), which determines how long the record may exist.Transactional models are trained/created over an arbitrary period oftime based on some previous time period's activity and then sent to thecarrier call handling system. All prior instances of the transactionaldata are removed all at once, and the new data is loaded and used all atonce. This data must be treated as a unit. While the system receives thenew transactional tables and loads them, the old transactional model canbe used. The new transactional models are not used until they are fullyloaded to the phone carrier's call processing systems. At this point,those new models will be used in place of the former version. Streamingdata models are also trained and created over an arbitrary period oftime, and are based on some previous time period's activity as well. Thedifference with streaming data is that it may be streamed to the carriernetwork, one change at a time, with the specific updated data elementbeings overwritten, while other fields remain the same. Streaming datatypically represents a caller/called party's profile informationpertaining to a particular network.

An example of a transactional model would be a neighborhood level score,for a specific list of a NPANXX, that would need to be updatedcompletely, for each defined time period. For example, P0 (time periodP′N′)=501555->NeighborhoodScore=10, 501554->NeighborhoodScore=20,501553->NeighborhoodScore=10, and P1=501555->NeighborhoodScore=0,501554->NeighborhoodScore=100. The update may be performed as an atomic,full-refresh type of transaction, meaning that during P1, a caller orcall receiver which has the NPANXX=501555 should always returnNeighborhoodScore=0, and 501553 should not return anything, since it wasnot included in that period's update.

In an example of a streaming data model, a particular key's values canupdate independently, and do not need to be treated as a unit of datawhich must be replaced each data update iteration. For example: for aperiod of time P0=501555->NumberOfCalls=2(TTL=4),P1=501554->NumberOfCalls=10, 501553->NumberOfCalls=1,P2=501555->NumberOfCalls=3(TTL=4). In this streaming update scenario,501555 should still exist in P1 with a value of 2 since it was given aTTL of 4 periods. When a P2 update arrives, the count should now be 3,and the TTL should be an additional 4 periods after P2. Neighborhoodcalls are treated differently than non-neighborhood calls in that thereare specific scores that are based only with non-neighborhood calls andother scores which are based on some neighborhood calls. The scores aredifferentiated because they represent different kinds of calls. A callbeing designated as ‘neighborhood’ or ‘non-neighborhood’ affects boththe scoring model and the calculation of a score in real time.

When in a training stage, the call management application may rely onmultiple data points/parameters, which are used to pre-score the calldata. The data points include but are not limited to: a call numberNPANXX**** (full phone number), call number parameters NPANXX (to/from),call number parameters NPANX (to/from), call number parameters NPAN(to/from), call number parameters NPA (to/from), IP address information(to/from), network information of the network generating the call,network information of the destination, network information of anynetworks the call has traversed, PSTN specific parameters, altered andunaltered SIP data, call activity within multiple time periods, localrouting numbers (LRNs), P-asserted identify, request URI, supported, Maxforwards, SDP, content length, etc.

The function of all pre-score values, as input parameters to an overallscoring function results in the score to be used when screening calls.The overall scoring function depends on the type of scoring beingperformed on a network call event. In one example, a basic scoring modelmay contain four to five fields: 1) score name, which is a name of thescore represented, such as to/from NPAScore, NeighborhoodScore, etc. 2)primary key, which is a first key matched to get a score, which could beany value, but which value is matched and which is based on the scorename (to/from NPA, NPANXX, full phone number, pstn parameters, etc.), 3)secondary key, which is the second key matched to obtain a score, unlikethe primary key, this secondary key is optional, 4) subscore/prescore,which is used to meet a score criteria and match the primary andsecondary keys, and an overall score, which is a function of allsubscores, the output of which is the score used in callhandling/routing and decision making regarding call managementdecisions.

Audit criteria may be certain research data that is determined from areal-time data stream, and which is sent back to the call model trainer.This information is used by downstream models for further trainingpurposes, as well as for audit personnel and automated audit tools whichperform audit checks and reporting on the current condition andintegrity of the call management system. This information may includethe phone number, the score, the model used to generate such a score,and all parameters used as part of the current scoring function.

Certain demographics may be used to identify a neighborhood of acaller/receiver, similarity between the calling and called parties,etc., so that during a call training session, calls are viewed as awhole from a carrier network, trends are located, and certain numbersare placed on a suspected scammer source list. The trainer feature mayoperate independent of the numbers being scored for scam purposes. Thetrainer function trains models/tables in the cloud network environmentbased on some prior period of time for identifying call activity. Calldata is streamed to the cloud network, which is then used for trainingpurposes. After training, the trained information is published back tothe carrier network. The carrier network is responsible for usingmultiple scores provided by the trainer, to then perform a function tocreate an overall score. The overall score is then used by the calltreatment software to accept or reject an individual phone call. Becausea carrier network is typically distributed across the United States,overall scores using the same training data may vary, since some of thetrained data may depend on the location (i.e., demographic) of thecarrier network which receives the call. For example, a carrier networkserver A may be located in San Francisco, Calif., and a carrier networkserver B may be located in New York City, N.Y. If an identified call isrouted through server A, and a score representing neighborhood activityin a suburb of NY may compute a score of 1, as only few NY calls havebeen routed through San Francisco. Depending on the model, the score of1 may indicate that this is highly suspicious activity, or may indicatethat it's not suspicious. The call model is able to use context, such aslocation, via sub-scores/pre-scores, to determine accurate scoring whichcan be applied to call control features.

One example process of managing scores may include calculating subscoresfor each caller such as a scam score, and other flags. For each call,calculate a ‘suspiciousFlag’ for that call, create a series of countsfor a number of different metrics (e.g., a certain section(neighborhood) associated with the A or B device number). The totalcount of calls and the number of calls that are in some way considered‘suspect’ are identified, then the percentage of suspect calls among allcalls for the metric are calculated, and the number of total calls,suspect calls, and percentage to calculate a score for the given metricare used. The call model, once completed, may be considered ‘trained’and is then published to the call management system. The trainerfunction reads from a stream of call data that supplies a number offields dealing with a call event, relating to the ‘A’ (i.e., caller) and‘B’ (i.e., called) numbers, as well as other fields that indicate howthe call was connected in the network, including the time the call wasplaced. During training, call activity on a phone carrier's network isanalyzed to build a series of models and activity profiles whichrepresent ‘normal’ behavior. Outliers are then identified andadjustments are made to the activity profiles to build the final models.

In general, the auditing service is performed for improvement of aparticular training model. For example, data input can be used forretraining of downstream data models, identifying why a call was treateda certain way, helping legitimate autodialers/robodialers, such asemergency notifications, political calls, debt collectors, etc., reachtheir intended audiences, and other similar use cases.

FIG. 4 illustrates an example call monitoring procedure according toexample embodiments. Referring to FIG. 4, the configuration 400 providesa cloud service 430 being configured to monitor the call managementserver's operations and metrics. The call management server 410 willhave its execution and performance monitored by a cloud managemententity. For example, certain metrics will be monitored and reportedperiodically. The metrics which are monitored and the frequency of themetrics being monitored may include a heartbeat signal for the callmanagement server being monitored at once-per-second with a check-inoperation ensure it is still operation, an average latency, which is theaverage time calculated over one minute that it takes for the callmanagement server to receive a request, forward it to the callmanagement server models, receive all model scores, and return aresponse to the call processing platform. Another metric to monitor isthe number of calls per minute, which is scored by the call managementserver over a one-minute interval. Additional metrics may need to beincluded to ensure adequate monitoring of the system and models used tomanage calls.

The monitoring operations will be facilitated by the use of a transportlayer security (TLS) 1.2 tunnel 432 to permit a connection between theservers, so the call management server 410 can operate an accumulatorfunction 420, which will forward the metrics, via the mediator function422, to the cloud management server(s) for constant monitoring. Sincethe call management server 410 is separate from the call processingplatform, if the call management server does not provide a scam score tothe call platform in a reasonable time, for a particular call, then thecall will still be processed without a scam score and without anyerrors.

If one of the call processing models and the corresponding servers fails(i.e., crashes), the call processing server will calculate a final scamscore using the scores obtained from the other models which are stilloperational. If a model has failed (crashed), the call processing serveris notified and will restart the crashed model. The model will notgenerate scores until it has been restarted successfully. The callprocessing server will keep a “heartbeat” operating on all activemodels. If a model becomes unresponsive ‘hung’, the call processingserver will terminate the model and restart the model in an attempt tocorrect the failure. In order to provide real-time call processingresults, the call processing server maintains a timer for each INVITEthat is sent to each model for scoring purposes. If the timeout isreached before a score is returned the call processing server willcontinue score calculation without that slow model's score.

All data elements used in computing a scam score for a particular callwill be retained on-site (upon the server it originated) for 90 days.This data is being collected for auditing (investigating why aparticular call was blocked, tagged, etc.). Queries on this data will becontrolled by the accumulator. Only the specific data entries that areused for a particular call are included in the data that is saved forauditing. The SIP INVITE contains all of the information about the call.The call processing server and its corresponding models use the SIPINVITE in determining each calls' scam score.

In a call processing example, the calls are identified with certaininformation, such as a timestamp, which is the time at which the callwas initiated, a ‘Phone A’ parameter, which is the phone number thatinitiated the call, a ‘Phone B’ parameter, which is the phone numberreceiving the call, LERG data, which is the data that is used by somemodels to calculate the scam score, call history data, which is the dataprovided by the call history database that some models may use tocalculate the scam score, model input data, which is the data that maybe used by one or more models, model 1, 2, 3 . . . N scores, which areeach of the models' individual scores. Other information may includecomposite scores, which are the final scam scores calculated using theindividual models' scores.

Access to the audit data will be provided through a web interface whichwill be available to the service provider and clients of this callmanagement service, provided those entities have the proper permissionsand credentials. Access to this web interface (UI) will be controlled byrequiring that users of the service are both connected to the client'svirtual private network (VPN), and have been assigned the appropriateapplication permissions in their respective domains. An auditing servicewill connect to the audit service via a web browser and will be able toview the audit data in a searchable, filterable, tabular format. Thesearch window may be limited to a 24-hour period to prevent unnecessarystrain on the underlying audit service search system. All queries andtheir responses are encrypted with elliptic-curve encryption or any typeof suitable encryption. The call management auditing service will alsomake a connection to the call management platform. Each edge server/callprocessing server has its own auditing service that will search withinthat edge server's audit data. The results across all edge servers arecompiled when a search is executed by the audit service. An auditservice will be operating on each accumulator and each audit UI servicewill be able to query all the auditing services operating on all theedge servers. All queries executed on the auditing UI service will belogged including the username/email address, etc., as it is definedwithin the domain of the service executing the queries. The queries willbe logged on the audit services. A summary of the audit data that willbe propagated from the call processing server to the call historyinformation. The data elements listed are per each call that is scored.Some of the call elements are inputs to the call processing server andits applied call scam models.

FIG. 5A illustrates a call parameter processing diagram for performingcomposite score analysis according to example embodiments. Referring toFIG. 5A, the configuration 500 provides a call processing platform 512as a core carrier unit that receives call messages from new calls andwhich may forward the call message data 522 to a call management server520, which stores the call data in a local or remote database 312 foreasy reference purposes. As the call data is received in real-time, theactive score model from each server may be received and compared withthe other scores from other servers to create an average score orcomposite score 530 used to enable a scam score 52. The highest/lowestscore may be thrown out to adjust a score curve before making a scamcall decision based on the median scores calculated.

FIG. 5B illustrates a call content processing diagram 550 for performingcomposite score analysis according to example embodiments. Referring toFIG. 5B, the call data may be analyzed for scam potential in an activecall request by performing payload and/or call content 542 analysis toidentify the content of the calls. Examples of content analysis include,voice vs. non-voice data, call duration, recorded voice vs. non-recordedvoice data, dual-time multi-frequency selections (DTMF), wordsidentified from the recorded call content, etc. If a call's content isidentified as being predominantly recorded voice samples, shortdurations, repetitive content from a histogram sample or other DSPsample 546, then the call may be identified as scam or may be scoredhigher as having a higher scam likelihood from the content of the call544.

FIG. 6A illustrates a set of call message parameters in an active callrequest according to example embodiments. Referring to FIG. 6A, thereare numerous call parameters 600 in a single call. The call may beplaced by any “A” caller, which may be identified as the caller that iscalling a callee. The “A” caller may be identified simply by an assignedtelephone number and may be dialing a single callee or “B” party/calleeat any given call instance. Such parameters are fundamental callparameters 612 common to any call. Since this example is a SIP protocolcall, there are specific SIP parameters which are analyzed and processedto identify call characteristics for call scam scoring anddeterminations on a call-by-call basis. Those skilled in the art willappreciate that other digital call platforms and protocols andparameters may be used to identify call characteristics and filter outcertain likely scam callers. The procedures described may not be limitedto merely SIP calling parameters.

In operation, certain common call characteristics may begin with a phonenumber of the “A” caller and a phone number of a “B” callee. Clearly, ascam caller will not continuously call the same “B” callee, but may berelying on a particular NPANXX call pattern of which the “B” callee is acandidate based on the first 6 digits of the “B” callee's telephonenumber. In general, an “A” caller is the first parameter to examine whencollecting call data for a scam scoring model. Also, during subsequentcalls which are compared to the scam model, the “A” caller will be aprimary parameter to create a comprehensive score which may be anexpression with multiple scoring parameters, the sum of which is thescam score. The scam score can then be compared to a threshold scamscore to determine whether to assign the call to a scam preventionaction, such as dropping the call or notifying the callee. During a callanalysis, an “A” caller phone number may be identified over a fixedperiod, such as 24 hours to identify the number of calls made duringsuch a time period. If that “A” caller telephone number exceeds a normalthreshold of calls in that allotted period of time, the “A” caller maybe identified as a number that is included on a call scam list ofpotential scammers. Historical call data may be collected over 30 daysand applied as a comparison basis to any active call received at anytime. The call data may be updated every 24 hours to create a new movingaverage of call parameters based on the last 30 days. A typical callscenario for any “A” caller may be no more than X calls per hour. If an“A” caller exceeds that number, then the scoring model may use the “A”caller parameter to increase the score of a call for subsequentlyreceived/identified calls originating from that “A” caller.

In general, the score for a single call may be based on a plurality ofparameter screenings and sub-scores. For example, an “A” caller may beflagged as potential scammer and the identification of that caller mayadd a score of +20, another parameter used to cross-reference thepotential scammer in the present call scenario may be the IP address. IPaddresses 614 are identified from SIP signaling and may be used as asecondary parameter to further increase a scam score from an “A” caller.The IP address may be known from previous call audit data and may alsobe linked to potential scam callers based on their known carrier's andtheir carrier's IP addresses used by their internalservers/routers/switches, etc. The IP address could add another scoringparameter of +20 to the call score. Other parameters from a digital SIPcall INVITE may include Max-Forwards 616 and content-length 618. Thoseadditional sub-parameters tend to be similar for calls originated from acommon carrier, a common location, etc., and thus during a call scoringscenario, the scam score may be +20 for having a max-forward and/orcontent-length score that is similar to a previously identified scoreassociated with a potential scammer. If the scores of the sub-parameterswere not the same or at least similar (+/−2, 3, etc.), then the scorewould not be incremented based on such additional parameters. However,in this example, if the phone call being screened at the present timehad a history of a known scammer “A” caller, a known IP address, a knownmax-forwards count and a known content-length count, then the likelihoodof the call being screened as scam would be high as the score would be+20(caller “A” number)+20 (known IP address), +20 (max-forwards) and +20(content-length). Assuming a scam score requires a 50 or more, thisparticular call would be screened as scam for exceeding the minimumthreshold score.

FIG. 6B illustrates a set of call message parameters being processed andcompared to historical call data according to example embodiments.Referring to FIG. 6B, the example 650 illustrates how the call historydata 652 can be compared to a current call data 654. The exampleprovides a different “A” caller number, however, call scammers mayfrequently use different numbers on a daily basis to increase theirchances at not being identified by a call scam filter service. The otherparameters are the same, and in this scenario, the IP address of one ormore SIP parameters may match 656 a previously flagged scammer usingsuch an IP address, whether the IP address is their own device or aserver/router used by their carrier. The other parameters 662 and 658are also identified as matched parameters, which increases the scamscore assuming the call history 652 indicated that such sub-parametersare known for a particular “A” caller and/or IP address primaryparameters, which would indicate a known scammer.

Another example for identifying an “A” caller and/or IP address as beingassociated with a potential scam caller may include identifying certaincalling patterns, such as short call durations, large volume callingand/or a threshold number of call failures via SIP signaling, such as“400” or “500” SIP call errors which would result from call scriptsidentifying numbers which are no longer valid callee numbers but whichwere attempted by the “A” caller. A certain number of call errors (e.g.,400 and 500 SIP error messages) in a given period of time may dictate ascam caller criteria used to rate the current call as a likely scamcall.

FIG. 6C illustrates an example of a current call having its callparameter data compared to established call parameter thresholds forscam scoring purposes according to example embodiments. Referring toFIG. 6C, the example 670 provides identifying various call parameterthreshold data 672 stored in call management tables after call auditdata is compiled, and comparing the suspect call scam datavalues/thresholds to current call data from an incoming call todetermine whether the call should be blocked. As the establishedthresholds are applied to the active call data, previous call data maybe identified and used to manipulate a counter which counts suspect calldata instances including the current call to identify whether thecurrent call 654 has exceeded a threshold. For example, certainthresholds may include call routing parameter-based thresholds, such as,phone number ‘A’ making ‘X’ calls per minute/hour/day, etc. Once thecaller ‘A’ is identified as having made a threshold number of calls, thecall ‘A’ telephone number may be linked to suspicious behavior andapplied a weight as a scam caller. The telephone number being linked toexcessive calls may alone invoke a weight that is higher than most orall other weights and designates the caller's number a scam caller basedon the scam call threshold scale of a weight that is over the scam callvalue threshold for a summed score. For example, if a call is scored forvarious parameters and compared against various thresholds and rules,the sum of all suspicious parameters may be used as a scam call score.However, the call routing parameters, such as ‘A’ caller telephonenumber may be weighted higher with a larger weight than other parameterswhen computing the score.

Another call routing parameter may be a called number NPANXX, meaningspecific called numbers that begins with the same 6 digits N-P-A-N-X-X.Scam callers may often seek to dial calls which have the same three,four, five, six, etc., digits in a sequential manner. Such detected callactions may be linked to suspicious behavior and may be identified by acounter measuring a total number of calls by a caller ‘A’ in a fixedtime period, and the threshold ‘X’ times may be set to then trigger ascam call score weight be applied to all calls received beyond thethreshold number of calls with those same 6 digits in a fixed timeperiod. The weight applied may be a larger weight then other parameterweights, however, the weight applied in this example may still be lessthan the weight applied to a specific phone number designated as a scamcaller since that weight may be the largest weight applied. Or, theweight applied may be the same as the phone number ‘A’ identifiedweight. Another call routing parameter may be the IP address of thecaller's device, the caller's network devices (e.g., routers, switches,etc.) operating on the caller's carrier network, and/or the IP addressof a called device. When those IP addresses are identified in call dataover a fixed period of time and for an excessive number of instances,then the IP addresses may exceed a set threshold and be deemed potentialscam identifiers which may be weighted with a weight that is less thanor similar to the weights applied to the caller's number and/or callednumbers linked to the caller.

In another example, the call session parameters may be SIP specificparameters which are identified as suspect/suspicious parameters fromprevious calls based on a threshold number of previous call parametersidentified. For example, a call length parameter “W” as an average timemeasured for connected calls may establish a threshold time. When callsreceived are associated with a particular caller telephone number and/orIP address, etc., then the call session parameter of “W” seconds may beidentified as the average length of call duration for that particularuser, then the call may be weighted with a certain weight value as oneparameter to increase the likelihood that the caller is a scam caller.Also, session call parameter values which are known to have beenreceived from a particular caller or IP address, such as max-forwards“MF”, content length “CL”, session timer “ST” and/or session expires“SE”, based on a previous number of calls over a fixed interval, mayhave been identified an excessive number of times over that interval. Asa result, any time the incoming call has those SIP session parametervalues, the call may be suspect/suspicious and additional weights may beapplied corresponding to those session values. In general, the sessionparameters may be linked to lesser weight assignments since the sessionvalues are secondary in their priority to routing parameters.

In one example of a current call 654, a scam score for an incoming callmay be determined by identifying a suspect caller's number “A” with aweight of 20, a suspect IP address associated with the caller, thecaller's carrier network devices, and/or the callee with a weight of 20,an average call duration of the caller being identified as “7” seconds,and expected values for: MF, CL, ST and/or SE (or within a range+/−2 orless), each of which are 10 points. The combined scam score is then20+20+10+10+10+10+10=90, and a scam call threshold may be any score over40. In this example, the current call may only have a phone number ofthe caller identified 676, a max forwards value identified 674, an IPaddress 678 identified, and a content length identified 680. Theidentification process suggests the values are known for that particularcaller via their phone number and/or their associated IP address, andthen the secondary parameters are checked, which in this case are themax forwards and the content length. The scam score may be 20(knowncaller number)+20(known IP address)+10(known max forward value)+10(knowncontent length value), for a total of 60. The threshold may only be 40,and thus in this case, the score is considered to be scam. The thresholdvalues represent values which have been identified a certain number oftimes to reach a meet or exceed threshold status, in which case any timethose values are received, they are identified as having exceeded theestablished threshold number of occurrences and thus will cause weightedvalues to be applied to the incoming call. A call that is not recognizedby its parameters will receive scores of zeros until a next audit occursand the values of incoming calls can be analyzed for adjustments to theexisting thresholds to identify the suspect callers.

In another example embodiment, instead of SIP parameter analysis, othercommunication protocols and the respective call data may be analyzed forscam call detection. For example, the integrated services digitalnetwork (ISDN) user part or (ISUP) is part of a signaling system No. 7(SS7) protocol hierarchy, which is used to set up telephone calls in thepublic switched telephone network (PSTN).

In operation, ISUP data traffic may, in some ways, be similar to SIPdata traffic. For example, an INVITE message used in SIP is similar toan ISUP IAM message. Those skilled in the art may have knowledge ofspecifications on how to convert SIP to ISUP and ISUP to SIP. There aremandatory fields in ISUP and SIP and over 50 optional parameters thatcan be included in an ISUP initial address message (IAM). In general,various communication parameters in ISUP signaling elements of an ISUPIAM message are not applicable to SIP and therefore ISUP has moreparameters which could be used to identify trends with call scams.

One example of ISUP signaling may provide:

service information octet

11.. ....=Network indicator: Reserved for national use (0x03)

..00 ....=Spare: 0x00

.... 0101=Service indicator: ISUP (0x05)

Routing label

.... .... .... .... ..10 1111 1000 0011=DPC: 12163

....1011 0100 0000 10.. .... .... ....=OPC: 11522

101 . .... .... .... .... .... ....=Signalling Link

-   -   Selector: 5

ISDN User Part

CIC: 213

Message type: Initial address (1)

Nature of Connection Indicators: 0x0

Mandatory Parameter: 6 (Nature of connection indicators)

.... ..00=Satellite Indicator: No Satellite circuit in

connection (0x00)

.... 00..=Continuity Check Indicator: Continuity check

not required (0x00)

...0 ....=Echo Control Device Indicator: Echo control device notincluded

Forward Call Indicators: 0xa001

-   -   Mandatory Parameter: 7 (Forward call indicators)    -   .... ...0 .... ....=National/international call indicator: Call        to be treated as national call    -   .... .00. .... ....=End-to-end method indicator: No End-to-end        method available (only link-by-link method available) (0x0000)    -   .... 0... .... ....=Interworking indicator: no interworking        encountered (No. 7 signalling all the way)    -   ...0 .... .... ....=End-to-end information indicator: no        end-to-end information available    -   ..1. .... .... ....=ISDN user part indicator: ISDN user part        used all the way    -   10.. .... .... ....=ISDN user part preference indicator: ISDN        user part required all the way (0x0002)    -   .... .... .... ....1=ISDN access indicator: originating access        ISDN    -   .... .... .... .00.=SCCP method indicator: No indication        (0x0000)    -   Calling Party's category: 0xa (ordinary calling subscriber)        -   Mandatory Parameter: 9 (Calling party's category)        -   Calling Party's category: ordinary calling subscriber (0x0a)    -   Transmission medium requirement: 2 (64 kbit/s unrestricted)        -   Mandatory Parameter: 2 (Transmission medium requirement)        -   Transmission medium requirement: 64 kbit/s unrestricted (2)    -   Called Party Number: 4891F        -   Mandatory Parameter: 4 (Called party number)        -   Pointer to Parameter: 2        -   Parameter length: 5        -   1... ....=Odd/even indicator: odd number of address signals        -   .000 0001=Nature of address indicator: subscriber number            (national use) (1)        -   1... ....=INN indicator: routing to internal network number            not allowed        -   .001 ....=Numbering plan indicator: ISDN

(Telephony) numbering plan (1)

Called Party Number: 4891F

-   -   .... 0100=Address signal digit: 4 (4)    -   1000....=Address signal digit: 8 (8)    -   .... 1001=Address signal digit: 9 (9)    -   0001 ....=Address signal digit: 1 (1)    -   .... 1111=Address signal digit: Stop sending (15)    -   E.164 Called party number digits: 4891F

Pointer to start of optional part: 7

Calling Party Number: 3933399708

-   -   Optional Parameter: 10 (Calling party number)    -   Parameter length: 7    -   0... ....=Odd/even indicator: even number of address signals    -   .000 0011=Nature of address indicator: national (significant)        number (3)    -   0... ....=NI indicator: complete    -   .001 ....=Numbering plan indicator: ISDN (Telephony) numbering        plan (1)    -   .... 01..=Address presentation restricted indicator:    -   presentation restricted (1)    -   .... ..11=Screening indicator: network provided (3)        Calling Party Number: 3933399708    -   .... 0011=Address signal digit: 3 (3)    -   1001 ....=Address signal digit: 9 (9)    -   .... 0011=Address signal digit: 3 (3)    -   11 .=Address signal digit: 3 (3)    -   .... 0011=Address signal digit: 3 (3)    -   1011....=Address signal digit: 9 (9)    -   ....1001=Address signal digit: 9 (9)    -   0111 ....=Address signal digit: 7 (7)    -   .... 0000=Address signal digit: 0 (0)    -   1000 ....=Address signal digit: 8 (8)        E.164 Calling party number digits: 3933399708        Optional forward call indicators: non-CUG call (128)

Optional Parameter: 8 (Optional forward call indicators)

-   -   Parameter length: 1    -   .... ..00=Closed user group call indicator: non-CUG call (0)    -   .... .0..=Simple segmentation indicator: no additional        information will be sent    -   1... ....=Connected line identity request indicator: requested

Access transport (5 bytes length)

-   -   Optional Parameter: 3 (Access transport)    -   Parameter length: 5    -   Access transport parameter field (->Q.931)    -   Low-layer compatibility        -   Information element: Low-layer compatibility        -   Length: 3        -   ...0 1000=Information transfer capability: Unrestricted            digital information (0x08)        -   .00 . ....=Coding standard: ITU-T standardized coding (0x00)        -   1... ....=Extension indicator: last octet        -   ...1 0000=Information transfer rate: 64 kbit/s (0x10)        -   .00 . ....=Transfer mode: Circuit mode (0x00)        -   1... ....=Extension indicator: last octet        -   ...0 0110=User information layer 1 protocol: Recommendation            H.223 and H.245 (0x06)        -   1... ....=Extension indicator: last octet    -   User service information, (3 bytes length)        -   Optional Parameter: 29 (User service information)        -   Parameter length: 3        -   User service information (->Q.931 Bearer_capability)        -   ...0 1000=Information transfer capability: Unrestricted            digital information (0x08)        -   .00 . ....=Coding standard: ITU-T standardized coding (0x00)        -   1... ....=Extension indicator: last octet        -   ...1 0000=Information transfer rate: 64 kbit/s (0x10)        -   .00 . ....=Transfer mode: Circuit mode (0x00)        -   1... ....=Extension indicator: last octet        -   ...0 0110=User information layer 1 protocol: Recommendation            H.223 and H.245 (0x06)        -   1... ....=Extension indicator: last octet    -   Propagation delay counter=100 ms    -   Optional Parameter: 49 (Propagation delay counter)    -   Parameter length: 2    -   Propagation delay counter=100 ms

Location number: 00600001

-   -   Optional Parameter: 63 (Location number)    -   Parameter length: 6    -   0... ....=Odd/even indicator: even number of address signals    -   .000 0011=Nature of address indicator: national (significant)        number (3)    -   1... ....=INN indicator: routing to internal network number not        allowed    -   .001 ....=Numbering plan indicator: ISDN (Telephony) numbering        plan (1)    -   ....00..=Address presentation restricted indicator: presentation        allowed (0)    -   .... ..11=Screening indicator: network provided (3)        Location number: 00600001    -   .... 0000=Address signal digit: 0 (0)    -   00 .=Address signal digit: 0 (0)    -   .... 0110=Address signal digit: 6 (6)    -   00 .=Address signal digit: 0 (0)    -   .... 0000=Address signal digit: 0 (0)    -   00 .=Address signal digit: 0 (0)    -   .... 0000=Address signal digit: 0 (0)    -   01 .=Address signal digit: 1 (1)        Parameter Type unknown/reserved (5 Bytes)

Optional Parameter: 244 (unknown)

Parameter length: 5

Parameter compatibility information (2 bytes length)

Optional Parameter: 57 (Parameter compatibility information)

Parameter length: 2

Upgraded parameter no: 1=unknown (244)

Instruction indicators: 0x90

-   -   .... ...0=Transit at intermediate exchange indicator: Transit        interpretation    -   .... ..0.=Release call indicator: do not release call    -   .... .0..=Send notification indicator: do not send notification    -   .... 0...=Discard message indicator: Do not discard message        (pass on)    -   ...1 ....=Discard parameter indicator: Discard parameter    -   .00 . ....=Pass on not possible indicator: Release call (0x00)    -   1... ....=Extension indicator: last octet        End of optional parameters (0).

Any of the ISUP parameters included in the above example of call data,may be identified, tracked, compared to certain frequency/filteringcriteria and may be flagged as indicative of a scam caller depending onthe parameter analysis being used to identify the scam callerlikelihood. Similar to the SIP scenario, the ISUP parameters may bereferenced, tracked and processed to identify scam likely behavior basedon known filtering criteria. The identified data can then be shared withnetwork servers throughout a carrier infrastructure to apply scamidentification to subsequent calls.

FIG. 7A illustrates a call system configuration for monitoring call dataand obtaining call scoring model data according to example embodiments.Referring to FIG. 7A, the system configuration 700 may include creatingtrainer framework for call processing clients. The process may includereceiving one or more data messages from callers 710 as call data to beanalyzed 712 via the call processing server(s) 720. The plurality ofcalls and corresponding call data (i.e., call parameters) from the oneor more messages are identified 714 and a call activity filter criteriamay be created and applied 716 so that the suspect parameters associatedwith a scam call or potentially associated with a scam call can belogged and added to the active filtering call parameter data forsubsequent call interrogation. The parameters which are consideredlikely or common to be scam are identified based on other historicaldata or by threshold comparisons for instances of such data which isconsidered to be exceeding an acceptable threshold (e.g., calls per day,calls per hour, same “a” caller, similar NPANXX call patterns over acertain number, etc.) Those suspect sub-sets of the call parameterswhich indicate an elevated likelihood of a call scam are used as a basisfor a scam score model which may be a set of call parameters andthresholds which are considered to be suspect and which must bemonitored via a scam score model filtering procedure for incoming callsreceived after the criteria is created. Also, the parameters may beupdated one at a time and/or intermittently so that all the callparameters, which are part of the scam score model and correspondingfilter criteria, are updated on an as needed basis. The method may alsoinclude forwarding the plurality of call parameters and the suspectsub-set of call parameters 718 to one or more call data tables stored inthe database 730, so the updates can be written to a call scam scoringtable. When the suspect parameters are identified, those parameters canbe compared 722 to known scam call data and thresholds to identifywhether the new parameters should be used as additional filteringcriteria since the tables were last updated on the call processingservers 720. The updated scoring model 724 can then be redistributed tothe servers for subsequent call monitoring of subsequently receivedcalls. The tables may include scam designation criteria, which mayinclude threshold scores for matching incoming call data.

The one or more data messages include SIP INVITE data messages, and theplurality of call parameters may include, but are not limited to one ormore of: a caller telephone number, a callee telephone number, an IPaddress of a caller device, an IP address of a callee device, an IPaddress of a device operating on the caller's network, an IP address ofa device operating on the callee's network, an average call duration ofcalls associated with the callee telephone number, and other SIPspecific parameters identified at least in FIG. 6A. The suspect sub-setof call parameters may include, in one example, a threshold number ofcall occurrences associated with a caller identity over a fixed periodof time. The identifying of the plurality of call parameters from thecall data is performed for the fixed period of time. The call activityfilter criteria includes a plurality of thresholds which when exceededduring the fixed period of time triggers the assigning of the one ormore scam designation threshold scores to the suspect sub-set of thecall parameters.

The method may also include transmitting the one or more call datatables to call processing servers, and publishing the one or more calldata tables to a call monitoring application operating on the callprocessing servers. The call data tables are based on call dataidentified over a fixed time interval of N minutes, wherein N is aninteger between 1-10 minutes and/or 1-30 days.

FIG. 7B illustrates a call system configuration for applying call datato current calls according to example embodiments. Referring to FIG. 7B,the system may provide an example method of operation 750 that includesidentifying a call from a caller and destined for a callee 752,receiving a data message associated with the call and processing thedata message information 754 to identify one or more call parameters.The call parameters of the call may be compared with one or more callparameters associated with an active call scam model 756 applied by thecall processing server 720. The call database 730 may forward thenecessary data 758 so the server 720 can match the model data to theactive call data received. Once the comparison is performed, the methodmay provide determining a scam score for the call based on the comparingof the one or more call parameters to the active call scam model appliedby the call processing server 762, and then a decision can be made aswhether to notify the callee that the call is a scam based on the scamscore based on the score 764.

The method may further include determining whether the scam scoreexceeds a scam score threshold, responsive to determining the scam scoreexceeds a scam score threshold, tagging the call with an identifier, andperforming at least one of notifying the callee that the call is a scamcall, blocking the call, and directing the call to voice mail, based onthe tagged identifier. When determining the scam score for the call themethod may include determining a plurality of scam scores based on aplurality of active call scam models assigned to the call processingserver, determining a composite score based on the plurality of scamscores from all the different servers, and applying the composite scoreas the scam score. Determining the scam score based on the active modelapplied by the call processing server is performed while the call isbeing processed and within a threshold call processing time frame. Themethod may also include tagging the call to be one or more of blocked,forwarded to voicemail, and accepted by the call recipient prior toconnecting the call to a call recipient device of the callee. The scamscore is further computed by comparing the caller number to a list ofknown scam caller telephone numbers and based on call durationsassociated with the caller telephone number. The data message includes aSIP INVITE message and the one or more call parameters include SIP callparameters.

FIG. 7C illustrates a call system configuration 770 for auditing calldata and obtaining updated scoring model data for call scam filteringaccording to example embodiments. Referring to FIG. 7C, the system maysupport a method of operation which includes forwarding call informationof various calls over a predefined period of time 772, collecting callmetric data over a predefined period of time for a plurality ofidentified calls 774, querying the call metric data to identify whetherone or more call filtering criteria parameters require changes,determining one or more call filtering criteria parameters requirechanges based on a deviation from one or more expected call metric datavalues included in the call metric data 776. The deviations may beidentified by comparing previous call data 778 and then modifying one ormore of the call filtering criteria parameters 782, and updating anactive call scam model stored on a call processing server based on theone or more call filtering parameters 784.

The updating of the active call scam model occurs every N minutes,wherein N is an integer equal to 1-10 minutes. The updating of theactive call scam model occurs by updating one or more scam call datatables stored on the call processing server. The predefined period oftime occurs every M days, wherein M is an integer equal to 30-90 days.The call metric data includes one or more of a number of calls per day,a percentage of calls which were blocked per day, a historic percentageof calls which were blocked on one or more previous days, a timestamp ofblocked calls, phone number occurrences of callers, phone numbersoccurrences of callees, local exchange routing guide (LERG) information,a first call scam model average score assigned to calls, a second callscam model average score assigned to calls. The deviation from the oneor more expected call metric data values included in the call metricdata comprises one or more actual call metric data values being lessthan or greater than a deviation threshold value from the one or moreexpected call metric data values. The collecting of the call metric dataover the predefined period of time for the plurality of identified callsis performed to a plurality of call processing servers each with uniquecall metric data.

FIG. 7D illustrates a call system configuration for applying callmanagement scam filtering to call data for an incoming call according toexample embodiments. Referring to FIG. 7D, the method 790 may includeidentifying call data associated with a received call sent 791 from acaller 710, identifying a plurality of call parameters from the calldata, the plurality of call parameters including one or more callrouting parameters associated with call routing of the call and one ormore call session parameters associated with a call session of the call792, forwarding call filter data and call threshold data 793 which isbased on known call scam calls in recent scam builds which apply scamfilter criteria. The method may also include assigning weights to one ormore of the call routing parameters and the call session parameters 794,determining a scam score for the call based on a sum of the weightsapplied to the call routing parameters and the call session parameters795, and blocking the call when the scam score is greater than or equalto a predetermined threshold scam score 796. The method may also includecomparing the one or more call routing parameters to one or more callrouting parameter thresholds, and applying weights to the call routingparameters which meet or exceed the one or more call routing parameterthresholds.

The method may also include comparing the one or more call sessionparameters to one or call session parameter thresholds among the callparameters, and applying weights to the call session parameters whichmeet or exceed the one or more call session parameter thresholds. Theweights applied to the call session parameters, in one example, arelower valued weights than the weights applied to the call routingparameters. The call session parameters include one or more sessioninitiation protocol (SIP) specific parameters comprising one or more ofmaximum forwards, timer values, session expires, and content length. Thecall routing parameters include one or more of a caller phone number, aspecific 3-6 digit ‘NPA-NXX’ called number, an IP address of the caller,an IP address of a routing device on the caller's carrier network, andan IP address of a callee. The call routing parameters and the callsession parameters which do not meet or exceed corresponding callrouting parameter thresholds and call session parameter thresholds arenot assigned weights.

FIG. 8 illustrates a logic diagram with example data input and outputparameters for performing call processing according to exampleembodiments. Referring to FIG. 8, the control logic platform 800includes a control logic module/processor 840 which is responsible forreceiving input data, such as calls 810, the call parameters 820,retrieved call data 832, scam models 834, active call filtering data830, etc., as conditional data used to apply to the call data that isreceived to identify call parameters and call scam scores for callfiltering. The output of the logic 840 results in certain parameters,such as caller ‘A’ information 812, IP address information 814, maxlengths 816, max forwards 818 and updated filter criteria 822. Theupdated data can be used to filter new calls for scam potential and theactive call parameters can be screened for suspicious activity.

The operations of a method or algorithm described in connection with theembodiments disclosed herein may be embodied directly in hardware, in acomputer program executed by a processor, or in a combination of thetwo. A computer program may be embodied on a computer readable medium,such as a storage medium. For example, a computer program may reside inrandom access memory (“RAM”), flash memory, read-only memory (“ROM”),erasable programmable read-only memory (“EPROM”), electrically erasableprogrammable read-only memory (“EEPROM”), registers, hard disk, aremovable disk, a compact disk read-only memory (“CD-ROM”), or any otherform of storage medium known in the art.

FIG. 9 is not intended to suggest any limitation as to the scope of useor functionality of embodiments of the application described herein.Regardless, the computing node 900 is capable of being implementedand/or performing any of the functionality set forth hereinabove.

In computing node 900 there is a computer system/server 902, which isoperational with numerous other general purpose or special purposecomputing system environments or configurations. Examples of well-knowncomputing systems, environments, and/or configurations that may besuitable for use with computer system/server 902 include, but are notlimited to, personal computer systems, server computer systems, thinclients, rich clients, hand-held or laptop devices, multiprocessorsystems, microprocessor-based systems, set top boxes, programmableconsumer electronics, network PCs, minicomputer systems, mainframecomputer systems, and distributed cloud computing environments thatinclude any of the above systems or devices, and the like.

Computer system/server 902 may be described in the general context ofcomputer system-executable instructions, such as program modules, beingexecuted by a computer system. Generally, program modules may includeroutines, programs, objects, components, logic, data structures, and soon that perform particular tasks or implement particular abstract datatypes. Computer system/server 902 may be practiced in distributed cloudcomputing environments where tasks are performed by remote processingdevices that are linked through a communications network. In adistributed cloud computing environment, program modules may be locatedin both local and remote computer system storage media including memorystorage devices.

As shown in FIG. 9, computer system/server 902 in cloud computing node900 is shown in the form of a general-purpose computing device. Thecomponents of computer system/server 902 may include, but are notlimited to, one or more processors or processing units 904, a systemmemory 906, and a bus that couples various system components includingsystem memory 906 to processor 904.

The bus represents one or more of any of several types of busstructures, including a memory bus or memory controller, a peripheralbus, an accelerated graphics port, and a processor or local bus usingany of a variety of bus architectures. By way of example, and notlimitation, such architectures include Industry Standard Architecture(ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA)bus, Video Electronics Standards Association (VESA) local bus, andPeripheral Component Interconnects (PCI) bus.

Computer system/server 902 typically includes a variety of computersystem readable media. Such media may be any available media that isaccessible by computer system/server 902, and it includes both volatileand non-volatile media, removable and non-removable media. System memory906, in one embodiment, implements the flow diagrams of the otherfigures. The system memory 906 can include computer system readablemedia in the form of volatile memory, such as random-access memory (RAM)910 and/or cache memory 912. Computer system/server 902 may furtherinclude other removable/non-removable, volatile/non-volatile computersystem storage media. By way of example only, storage system 914 can beprovided for reading from and writing to a non-removable, non-volatilemagnetic media (not shown and typically called a “hard drive”). Althoughnot shown, a magnetic disk drive for reading from and writing to aremovable, non-volatile magnetic disk (e.g., a “floppy disk”), and anoptical disk drive for reading from or writing to a removable,non-volatile optical disk such as a CD-ROM, DVD-ROM or other opticalmedia can be provided. In such instances, each can be connected to thebus by one or more data media interfaces. As will be further depictedand described below, memory 906 may include at least one program producthaving a set (e.g., at least one) of program modules that are configuredto carry out the functions of various embodiments of the application.

Program/utility 916, having a set (at least one) of program modules 918,may be stored in memory 906 by way of example, and not limitation, aswell as an operating system, one or more application programs, otherprogram modules, and program data. Each of the operating system, one ormore application programs, other program modules, and program data orsome combination thereof, may include an implementation of a networkingenvironment. Program modules 918 generally carry out the functionsand/or methodologies of various embodiments of the application asdescribed herein.

As will be appreciated by one skilled in the art, aspects of the presentapplication may be embodied as a system, method, or computer programproduct. Accordingly, aspects of the present application may take theform of an entirely hardware embodiment, an entirely software embodiment(including firmware, resident software, micro-code, etc.) or anembodiment combining software and hardware aspects that may allgenerally be referred to herein as a “circuit,” “module” or “system.”Furthermore, aspects of the present application may take the form of acomputer program product embodied in one or more computer readablemedium(s) having computer readable program code embodied thereon.

Computer system/server 902 may also communicate with one or moreexternal devices 920 such as a keyboard, a pointing device, a display922, etc.; one or more devices that enable a user to interact withcomputer system/server 902; and/or any devices (e.g., network card,modem, etc.) that enable computer system/server 902 to communicate withone or more other computing devices. Such communication can occur viaI/O interfaces 924. Still yet, computer system/server 902 cancommunicate with one or more networks such as a local area network(LAN), a general wide area network (WAN), and/or a public network (e.g.,the Internet) via network adapter 926. As depicted, network adapter 926communicates with the other components of computer system/server 902 viaa bus. It should be understood that although not shown, other hardwareand/or software components could be used in conjunction with computersystem/server 902. Examples include, but are not limited to: microcode,device drivers, redundant processing units, external disk drive arrays,RAID systems, tape drives, and data archival storage systems, etc.

Although an exemplary embodiment of at least one of a system, method,and non-transitory computer readable medium has been illustrated in theaccompanied drawings and described in the foregoing detaileddescription, it will be understood that the application is not limitedto the embodiments disclosed, but is capable of numerous rearrangements,modifications, and substitutions as set forth and defined by thefollowing claims. For example, the capabilities of the system of thevarious figures can be performed by one or more of the modules orcomponents described herein or in a distributed architecture and mayinclude a transmitter, receiver or pair of both. For example, all orpart of the functionality performed by the individual modules, may beperformed by one or more of these modules. Further, the functionalitydescribed herein may be performed at various times and in relation tovarious events, internal or external to the modules or components. Also,the information sent between various modules can be sent between themodules via at least one of: a data network, the Internet, a voicenetwork, an Internet Protocol network, a wireless device, a wired deviceand/or via plurality of protocols. Also, the messages sent or receivedby any of the modules may be sent or received directly and/or via one ormore of the other modules.

One skilled in the art will appreciate that a “system” could be embodiedas a personal computer, a server, a console, a personal digitalassistant (PDA), a cell phone, a tablet computing device, a smartphoneor any other suitable computing device, or combination of devices.Presenting the above-described functions as being performed by a“system” is not intended to limit the scope of the present applicationin any way but is intended to provide one example of many embodiments.Indeed, methods, systems and apparatuses disclosed herein may beimplemented in localized and distributed forms consistent with computingtechnology.

It should be noted that some of the system features described in thisspecification have been presented as modules, in order to moreparticularly emphasize their implementation independence. For example, amodule may be implemented as a hardware circuit comprising custom verylarge-scale integration (VLSI) circuits or gate arrays, off-the-shelfsemiconductors such as logic chips, transistors, or other discretecomponents. A module may also be implemented in programmable hardwaredevices such as field programmable gate arrays, programmable arraylogic, programmable logic devices, graphics processing units, or thelike.

A module may also be at least partially implemented in software forexecution by various types of processors. An identified unit ofexecutable code may, for instance, comprise one or more physical orlogical blocks of computer instructions that may, for instance, beorganized as an object, procedure, or function. Nevertheless, theexecutables of an identified module need not be physically locatedtogether but may comprise disparate instructions stored in differentlocations which, when joined logically together, comprise the module andachieve the stated purpose for the module. Further, modules may bestored on a computer-readable medium, which may be, for instance, a harddisk drive, flash device, random access memory (RAM), tape, or any othersuch medium used to store data.

Indeed, a module of executable code could be a single instruction, ormany instructions, and may even be distributed over several differentcode segments, among different programs, and across several memorydevices. Similarly, operational data may be identified and illustratedherein within modules and may be embodied in any suitable form andorganized within any suitable type of data structure. The operationaldata may be collected as a single data set or may be distributed overdifferent locations including over different storage devices, and mayexist, at least partially, merely as electronic signals on a system ornetwork.

It will be readily understood that the components of the application, asgenerally described and illustrated in the figures herein, may bearranged and designed in a wide variety of different configurations.Thus, the detailed description of the embodiments is not intended tolimit the scope of the application as claimed but is merelyrepresentative of selected embodiments of the application.

One having ordinary skill in the art will readily understand that theabove may be practiced with steps in a different order, and/or withhardware elements in configurations that are different than those whichare disclosed. Therefore, although the application has been describedbased upon these preferred embodiments, it would be apparent to those ofskill in the art that certain modifications, variations, and alternativeconstructions would be apparent.

While preferred embodiments of the present application have beendescribed, it is to be understood that the embodiments described areillustrative only and the scope of the application is to be definedsolely by the appended claims when considered with a full range ofequivalents and modifications (e.g., protocols, hardware devices,software platforms etc.) thereto.

What is claimed is:
 1. A method comprising: receiving one or more datamessages; identifying a plurality of calls and corresponding call datafrom the one or more messages; identifying a plurality of callparameters from the call data; determining one or more patterns from thecall data that are different from phone numbers or message addresses;applying a call activity filter criteria to the one or more patterns toidentify a suspect sub-set of the call parameters which indicate anelevated likelihood of call scam; forwarding the plurality of callparameters and the suspect sub-set of call parameters to one or morecall data tables; assigning one or more scam designation thresholdscores to the suspect sub-set of the call parameters in the one or morecall data tables; and generating information to block the call fromreaching a destination user device based on the one or more scamdesignation threshold scores.
 2. The method of claim 1, wherein the oneor more data messages comprise SIP INVITE data messages, and wherein theplurality of call parameters comprise an average call duration of callsassociated with the callee telephone number.
 3. The method of claim 1,wherein the one or more patterns include a number of call occurrencesassociated with a caller identity over a fixed period of time andwherein the call activity filter criteria includes a predeterminedthreshold number of call occurrences.
 4. The method of claim 3, whereinthe identifying of the plurality of call parameters from the call datais performed for the fixed period of time.
 5. The method of claim 3,wherein the call activity filter criteria comprises one or morethresholds which when exceeded during the fixed period of time triggersthe assigning of the one or more scam designation threshold scores tothe suspect sub-set of the call parameters.
 6. The method of claim 1,further comprising: transmitting the one or more call data tables tocall processing servers; and publishing the one or more call data tablesto a call monitoring application operating on the call processingservers.
 7. The method of claim 6, wherein the call data tables arebased on call data identified over a fixed time interval of N minutes,wherein N is an integer between 1-10 minutes.
 8. An apparatuscomprising: a receiver configured to receive one or more data messages;and a processor configured to identify a plurality of calls andcorresponding call data from the one or more messages; identify aplurality of call parameters from the call data; determine one or morepatterns from the call data that are different from phone numbers ormessage addresses; apply a call activity filter criteria to the one ormore patterns to identify a suspect sub-set of the call parameters whichindicate an elevated likelihood of call scam; forward the plurality ofcall parameters and the suspect sub-set of call parameters to one ormore call data tables; assign one or more scam designation thresholdscores to the suspect sub-set of the call parameters in the one or morecall data tables; and generate information to block the call fromreaching a destination user device based on the one or more scamdesignation threshold scores.
 9. The apparatus of claim 8, wherein theone or more data messages comprise SIP INVITE data messages, and whereinthe plurality of call parameters comprise an average call duration ofcalls associated with the callee telephone number.
 10. The apparatus ofclaim 8, wherein the one or more patterns include a number of calloccurrences associated with a caller identity over a fixed period oftime and wherein the call activity filter criteria includes apredetermined threshold number of call occurrences.
 11. The apparatus ofclaim 10, wherein the identification of the plurality of call parametersfrom the call data is performed for the fixed period of time.
 12. Theapparatus of claim 10, wherein the call activity filter criteriacomprises one or more of thresholds which when exceeded during the fixedperiod of time triggers the assigning of the one or more scamdesignation threshold scores to the suspect sub-set of the callparameters.
 13. The apparatus of claim 8, further comprising: atransmitter configured to transmit the one or more call data tables tocall processing servers; and wherein the processor is further configuredto publish the one or more call data tables to a call monitoringapplication operating on the call processing servers.
 14. The apparatusof claim 13, wherein the call data tables are based on call dataidentified over a fixed time interval of N minutes, wherein N is aninteger between 1-10 minutes.
 15. A non-transitory computer readablestorage medium configured to store instructions that when executed causea processor to perform: receiving one or more data messages; identifyinga plurality of calls and corresponding call data from the one or moremessages; identifying a plurality of call parameters from the call data;determining one or more patterns from the call data that are differentfrom phone numbers or message addresses; applying a call activity filtercriteria to the one or more patterns to identify a suspect sub-set ofthe call parameters which indicate an elevated likelihood of call scam;forwarding the plurality of call parameters and the suspect sub-set ofcall parameters to one or more call data tables; assigning one or morescam designation threshold scores to the suspect sub-set of the callparameters in the one or more call data tables; and blocking the callfrom reaching a destination user device based on the one or more scamdesignation threshold scores.
 16. The non-transitory computer readablestorage medium of claim 15, wherein the one or more data messagescomprise SIP INVITE data messages, and wherein the plurality of callparameters comprise an average call duration of calls associated withthe callee telephone number.
 17. The non-transitory computer readablestorage medium of claim 15, wherein the one or more patterns include anumber of call occurrences associated with a caller identity over afixed period of time and wherein the call activity filter criteriaincludes a predetermined threshold number of call occurrences.
 18. Thenon-transitory computer readable storage medium of claim 17, wherein theidentifying of the plurality of call parameters from the call data isperformed for the fixed period of time.
 19. The non-transitory computerreadable storage medium of claim 17, wherein the call activity filtercriteria comprises one or more thresholds which when exceeded during thefixed period of time triggers the assigning of the one or more scamdesignation threshold scores to the suspect sub-set of the callparameters.
 20. The non-transitory computer readable storage medium ofclaim 15, wherein the processor is further configured to perform:transmitting the one or more call data tables to call processingservers; and publishing the one or more call data tables to a callmonitoring application operating on the call processing servers, andwherein the call data tables are based on call data identified over afixed time interval of N minutes, wherein N is an integer between 1-10minutes.